ŌHARA Kazutaka

Reputation: 163

ACL: How is `ImplicitMeta` rule interpreted?

In the official documentation of Access Control in Hyperledger Fabric: https://hyperledger-fabric.readthedocs.io/en/latest/access_control.html

ImplicitMeta policies aggregate the result of policies

How exactly is a rule of ImplicitMeta interpreted "set-theoretically" when in conjunction with other rules?

Example:

```yaml
Policies:
  AndPolicy:
    Type: Signature
    Rule: "AND('Org1.Peer','Org2.Peer','Org3.Peer')"
  OrPolicy:
    Type: Signature
    Rule: "OR('Org1.Peer','Org2.Peer','Org3.Peer')"
  MetaPolicy:
    Type: ImplicitMeta
    Rule: "ALL OrPolicy"
```

If we set the rule for MetaPolicy as "ANY AndPolicy", is it equivalent to OrPolicy?

If we set "ALL OrPolicy", is it equivalent to AndPolicy?

The syntax of an ImplicitMeta rule, `<ALL|ANY|MAJORITY> <sub_policy>`, suggests that the sub_policy is a set of elements, while the Signature rule syntax like `A and B and C` can express a conditional expression, not a set. Thus, the exact meaning of a combination of these two rules seems unclear to me.

Upvotes: 2

Views: 210

Answers (1)

ŌHARA Kazutaka

Reputation: 163

I feel like I've found an answer, albeit incomplete. Any corrections or supplements are welcome.

If we set the rule for MetaPolicy as "ANY AndPolicy", is it equivalent to OrPolicy? If we set "ALL OrPolicy", is it equivalent to AndPolicy?

The short answer is No.

The "Policies in Hyperledger Fabric" page, which is not linked from anywhere for some unknown reason, gives us some suggestions.

A lengthier explanation:

```yaml
# The lines below are just based on my conceptual understanding,
# therefore they may have errors in details.
Channel:
  Groups:
    Application:
      Policies:
        M:             #-----------(1)
          Type: ImplicitMeta
          Rule: "ALL P"
      Groups:
        GroupA:
          Policies:
            P:         #-----------(2)
              Type: Signature
              Rule: "OR('SampleOrg.admin')"
        GroupB:
          Policies:
            P:         #-----------(3)
              Type: Signature
              Rule: "AND('SampleOrg.member')"
```

In the configuration above,

  • (1) can be expressed as /Channel/Application/M.
  • (2) can be expressed as /Channel/Application/GroupA/P.
  • (3) can be expressed as /Channel/Application/GroupB/P.
  • Let's see what (1) means.
    • Its rule is specified as `ALL P`, which should be interpreted as "ALL subpolicies of M must be satisfied".
    • But what are subpolicies? This is the key to this answer: according to policies.html, the ImplicitMeta policy implicitly selects the sub-groups of the group where it resides. In this case, M resides in /Channel/Application, thus both (2) and (3), which are under that path, are the subpolicies.
    • An ImplicitMeta rule specifies that all/any/majority of the rules must be satisfied. In the case above, M will be satisfied only if at least one admin and all members signed.

Upvotes: 1
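The evaluation described in the answer above, as an added example that is not part of the original post and is not Fabric's own code: a simplified Python model in which an ImplicitMeta policy collects the same-named policy from each immediate sub-group and applies the ALL/ANY/MAJORITY quantifier to the results. Assumptions of this model: the `CONFIG` tree and the helpers `eval_signature`, `evaluate` and `with_rule` are hypothetical, principals are matched as literal strings, only flat `AND(...)`/`OR(...)` rules are parsed, and sub-groups that do not define the named policy are skipped.

```python
import re

# Constructed config tree mirroring the answer's conceptual layout,
# rooted at /Channel/Application.
CONFIG = {
    "policies": {"M": ("ImplicitMeta", "ALL P")},
    "groups": {
        "GroupA": {"policies": {"P": ("Signature", "OR('SampleOrg.admin')")},
                   "groups": {}},
        "GroupB": {"policies": {"P": ("Signature", "AND('SampleOrg.member')")},
                   "groups": {}},
    },
}


def eval_signature(rule, signers):
    """Simplified Signature check: flat AND/OR over quoted principals."""
    m = re.fullmatch(r"(AND|OR)\((.*)\)", rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    principals = re.findall(r"'([^']+)'", m.group(2))
    hits = [p in signers for p in principals]  # literal match (assumption)
    return all(hits) if m.group(1) == "AND" else any(hits)


def evaluate(group, name, signers):
    """Evaluate the policy called `name` that is defined in `group`."""
    ptype, rule = group["policies"][name]
    if ptype == "Signature":
        return eval_signature(rule, signers)
    quantifier, sub_name = rule.split()
    # ImplicitMeta: the "set" is the same-named policy in each immediate
    # sub-group, not the principals inside a sibling Signature policy.
    subs = [g for g in group["groups"].values() if sub_name in g["policies"]]
    passed = sum(evaluate(g, sub_name, signers) for g in subs)
    threshold = {"ANY": 1, "ALL": len(subs),
                 "MAJORITY": len(subs) // 2 + 1}[quantifier]
    return passed >= threshold


def with_rule(rule):
    """Copy of CONFIG with M's ImplicitMeta rule replaced (hypothetical helper)."""
    return dict(CONFIG, policies={"M": ("ImplicitMeta", rule)})
```

With only `SampleOrg.admin` signing, `ALL P` fails because GroupB's `P` is unsatisfied, while `ANY P` passes on GroupA's `P` alone.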
